If you are unlucky enough to have to deal with an investigation in your company, one of the first tasks is to gather up all the evidence while it is still available, so that the investigator can review it. Some evidence is obvious: papers and letters, a weapon, clothing. Digital evidence isn’t always so obvious, especially if the charge isn’t specifically related to emails, the internet, or texting. But it needs to be gathered promptly, before anyone tampers with it, and it needs to be done properly.
The safest way to deal with digital evidence is to find an expert in forensic work with technology – and talk to your lawyer. If you have to move quickly, here are a few things to think about:
- Include internet browsers, emails, chat, IM, texting, and social media in your consideration
- Was any company-owned equipment involved? If so, unplug, turn off, and quarantine the computer, cell phone, or device immediately.
- Make sure that all evidence, either the actual digital form or the physical devices, is kept secure and with a chain of custody. If not, it will be of doubtful value to an investigator.
- If you collect a cell phone, put it in a Faraday evidence bag, which is shielded to prevent wiping of data from a distance. Consider removing the battery, too.
- Be careful about taking pictures of evidence with a cell phone. If there is child pornography involved, in particular, you can end up in much worse trouble for possessing and (if you send it to anyone else) transmitting it.
One thing you can do now is to make sure that you have and disseminate a policy that states that company-owned computers and phones are company property and that employees have no expectation of privacy for anything they use them for. This gives you the right to examine the devices and their contents in an investigation. It doesn’t hurt to remind people that even deleted information can often be retrieved; it might keep them from using your computers in the first place.
Thanks to Karen Palmer and Thomas Singer for a great presentation!